CVE-2023-47801
low-risk
Published 2023-11-13
An issue was discovered in Click Studios Passwordstate before 9811. Existing users (Security Administrators) could use the System Wide API Key to read or delete private password records when specifically used with the PasswordHistory API endpoint. It is also possible to use the Copy/Move Password Record API Key to Copy/Move private password records.
Do I need to act?
0.08% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 4.7/10
Medium
NETWORK / LOW complexity
Affected Products (1)
Passwordstate
Affected Vendors
References (2)
Vendor Advisory
https://www.clickstudios.com.au/security/advisories/
Vendor Advisory
https://www.clickstudios.com.au/security/advisories/
24 / 100
low-risk
Severity
19/34 · Moderate
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal